If you’re a government contractor, you’re familiar with the Cybersecurity Maturity Model Certification (CMMC), developed by the Department of Defense (DoD) to create environments conducive to safeguarding government information. Now, a new CMMC iteration is on the way. Here’s what you need to know.
While the history of CMMC dates to 2010, it wasn’t until November of 2020 that CMMC 1.0 took effect under a DFARS interim rule. CMMC 1.0 defined five maturity levels ranging from “basic cyber hygiene” to “advanced/progressive,” organized into 17 domains and 171 practices (the 14 control families and 110 requirements of NIST SP 800-171 make up the core of those practices). The required maturity level depended on the sensitivity of the information handled under the contract, not on a classification level: CMMC covers federal contract information and controlled unclassified information, not classified data. The overall goal was to move away from the original self-attestation model to one that featured scrutiny from third parties.
Now, CMMC 2.0 is in the works, or more specifically in the rulemaking process. Announced in November of 2021, version 2.0 is an attempt to both strengthen and streamline the rule. In place of the five maturity levels of CMMC 1.0, this version has three: Foundational, Advanced and Expert.
The Foundational level (Level 1) continues to allow an annual self-assessment by the provider and applies to businesses handling federal contract information (FCI); its practices are the basic safeguarding requirements of FAR 52.204-21. Level 2, Advanced, applies to businesses handling controlled unclassified information (CUI) and maps to the 110 requirements of NIST SP 800-171; it requires a triennial (every three years) third-party assessment for prioritized acquisitions, with an annual self-assessment permitted for a subset of non-prioritized programs. Level 3, Expert, applies to businesses handling CUI on the highest-priority programs, adds a subset of NIST SP 800-172 requirements on top of Level 2, and requires a triennial government-led assessment. The DoD also notes that CMMC 2.0 is largely aligned with the already widely observed cybersecurity standards from the National Institute of Standards and Technology (NIST), so a contractor that has already implemented NIST SP 800-171 under DFARS 252.204-7012 has done most of the Level 2 work.
CMMC 2.0 Compliance and Costs
In some cases, CMMC is already a requirement for contract award, and it will appear in more solicitations going forward. Compliance requires efforts in the areas of technology, program development, auditing and certification. As you might imagine, this can be a substantial undertaking, especially at the two higher levels. While the DoD suggests that assessment costs might actually be reduced under 2.0 (in part because Level 1 and some Level 2 contracts allow self-assessment), one estimate we’ve seen suggests that total costs of implementation and certification might run between $30,000 and $200,000 for each contractor.
Timing for CMMC 2.0
With CMMC 2.0 in the rulemaking process, it’s not so much an immediate concern as something that companies doing business with the government should begin preparing for. The DoD estimates that rulemaking might take up to 24 months, and that its requirements might be phased in over a period of as much as five years. For now, the DoD somewhat vaguely encourages contractors to “continue to enhance their cybersecurity process … while rulemaking is underway.” New contract solicitations will specify the required CMMC level.
However, given the complexity of CMMC requirements and the anticipated costs of certification and implementation, companies doing business with the government would be wise to begin preparing now. Hill Tech is here to help with readiness, controls implementation and preparation work.
Questions about CMMC 2.0? Contact Hill Tech Solutions.